ID

VAR-201803-2077


CVE

CVE-2018-5438


TITLE

Philips IntelliSpace Cardiovascular System Unauthorized Access Vulnerability

Trust: 0.8

sources: IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1 // CNVD: CNVD-2018-02350

DESCRIPTION

Philips ISCV application prior to version 2.3.0 has an insufficient session expiration vulnerability where an attacker could reuse the session of a previously logged-in user. This vulnerability exists when using ISCV together with an Electronic Medical Record (EMR) system, where ISCV is in KIOSK mode for multiple users and using Windows authentication. This may allow an attacker to gain unauthorized access to patient health information and potentially modify this information. The Philips ISCV application contains a session expiration vulnerability. Information may be obtained and information may be altered. Philips IntelliSpace Cardiovascular (ISCV) is a comprehensive heart image and information management system. The Philips IntelliSpace Cardiovascular System has an unauthorized access vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. IntelliSpace Cardiovascular version 2.3.0 and prior versions are vulnerable. The system provides viewing of echographic images and a single point of access for physicians.

Trust: 2.7

sources: NVD: CVE-2018-5438 // JVNDB: JVNDB-2018-003472 // CNVD: CNVD-2018-02350 // BID: 102847 // IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1 // VULHUB: VHN-135469

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.8

sources: IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1 // CNVD: CNVD-2018-02350

AFFECTED PRODUCTS

vendor: philips | model: intellispace cardiovascular | scope: lte | version: 2.3.0

Trust: 1.0

vendor: philips | model: intellispace cardiovascular | scope: - | version: -

Trust: 0.8

vendor: philips | model: intellispace cardiovascular | scope: lte | version: <=2.3.0

Trust: 0.6

vendor: philips | model: intellispace cardiovascular | scope: eq | version: 2.3.0

Trust: 0.6

vendor: philips | model: intellispace cardiovascular | scope: eq | version: 2.3

Trust: 0.3

vendor: philips | model: intellispace cardiovascular | scope: ne | version: 3.1

Trust: 0.3

vendor: intellispace cardiovascular | model: - | scope: eq | version: *

Trust: 0.2

sources: IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1 // CNVD: CNVD-2018-02350 // BID: 102847 // JVNDB: JVNDB-2018-003472 // CNNVD: CNNVD-201802-357 // NVD: CVE-2018-5438

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5438
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-5438
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-02350
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201802-357
value: LOW

Trust: 0.6

IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1
value: LOW

Trust: 0.2

VULHUB: VHN-135469
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-5438
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-02350
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-135469
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5438
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.0
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1 // CNVD: CNVD-2018-02350 // VULHUB: VHN-135469 // JVNDB: JVNDB-2018-003472 // CNNVD: CNNVD-201802-357 // NVD: CVE-2018-5438

PROBLEMTYPE DATA

problemtype: CWE-613

Trust: 1.9

sources: VULHUB: VHN-135469 // JVNDB: JVNDB-2018-003472 // NVD: CVE-2018-5438

THREAT TYPE

local

Trust: 0.9

sources: BID: 102847 // CNNVD: CNNVD-201802-357

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201802-357

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003472

PATCH

title: Philips IntelliSpace Cardiovascular Vulnerabilities (24-JAN-2018) | url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 0.8

title: Philips IntelliSpace Cardiovascular Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78450

Trust: 0.6

sources: JVNDB: JVNDB-2018-003472 // CNNVD: CNNVD-201802-357

EXTERNAL IDS

db: NVD | id: CVE-2018-5438

Trust: 3.6

db: ICS CERT | id: ICSMA-18-025-01

Trust: 3.4

db: BID | id: 102847

Trust: 2.0

db: CNNVD | id: CNNVD-201802-357

Trust: 0.9

db: CNVD | id: CNVD-2018-02350

Trust: 0.8

db: JVNDB | id: JVNDB-2018-003472

Trust: 0.8

db: IVD | id: E2E2DC62-39AB-11E9-8D44-000C29342CB1

Trust: 0.2

db: VULHUB | id: VHN-135469

Trust: 0.1

sources: IVD: e2e2dc62-39ab-11e9-8d44-000c29342cb1 // CNVD: CNVD-2018-02350 // VULHUB: VHN-135469 // BID: 102847 // JVNDB: JVNDB-2018-003472 // CNNVD: CNNVD-201802-357 // NVD: CVE-2018-5438

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsma-18-025-01

Trust: 3.4

url: https://www.usa.philips.com/healthcare/about/customer-support/product-security

Trust: 2.0

url: http://www.securityfocus.com/bid/102847

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5438

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-5438

Trust: 0.8

url: http://www.usa.philips.com/

Trust: 0.3

sources: CNVD: CNVD-2018-02350 // VULHUB: VHN-135469 // BID: 102847 // JVNDB: JVNDB-2018-003472 // CNNVD: CNNVD-201802-357 // NVD: CVE-2018-5438

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102847

SOURCES

db: IVD | id: e2e2dc62-39ab-11e9-8d44-000c29342cb1
db: CNVD | id: CNVD-2018-02350
db: VULHUB | id: VHN-135469
db: BID | id: 102847
db: JVNDB | id: JVNDB-2018-003472
db: CNNVD | id: CNNVD-201802-357
db: NVD | id: CVE-2018-5438

LAST UPDATE DATE

2024-11-23T22:52:10.943000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2018-02350 | date: 2018-01-31T00:00:00
db: VULHUB | id: VHN-135469 | date: 2018-04-20T00:00:00
db: BID | id: 102847 | date: 2018-01-25T00:00:00
db: JVNDB | id: JVNDB-2018-003472 | date: 2018-05-24T00:00:00
db: CNNVD | id: CNNVD-201802-357 | date: 2018-03-21T00:00:00
db: NVD | id: CVE-2018-5438 | date: 2024-11-21T04:08:48.277

SOURCES RELEASE DATE

db: IVD | id: e2e2dc62-39ab-11e9-8d44-000c29342cb1 | date: 2018-01-31T00:00:00
db: CNVD | id: CNVD-2018-02350 | date: 2018-01-31T00:00:00
db: VULHUB | id: VHN-135469 | date: 2018-03-20T00:00:00
db: BID | id: 102847 | date: 2018-01-25T00:00:00
db: JVNDB | id: JVNDB-2018-003472 | date: 2018-05-24T00:00:00
db: CNNVD | id: CNNVD-201802-357 | date: 2018-02-12T00:00:00
db: NVD | id: CVE-2018-5438 | date: 2018-03-20T17:29:00.363